Keeping the bad guys at bay

Keeping the bad guys at bay

By Richard W. Walker

Sep 07, 2001

Feds size up security

Source: GCN telephone survey

OVER THE LONG HAUL: Ferreting out and closing loopholes in systems over and over again is what makes security management a task of sustainment rather than an adrenaline-driven effort, NASA's David Nelson says.

Air Force deputy CIO John GIlligan says that the Code Red worm didn't affect many of the service's systems directly, but Air Force systems were severed from the Internet as a precaution.

Although a blitz of colorfully named viruses embedded in e-mail attachments, such as ILoveYou and Kournikova, sounded alarms and created havoc in the last year, it was the recent Code Red attack that really shook things up.

Code Red is a malicious worm of a different sort and spectacularly insidious. It exploits a weakness in Microsoft Internet Information Server software, installs a copy of itself and then searches the Internet for systems running unprotected versions of IIS.

It was followed shortly by Code Red II, an unrelated but even trickier worm that uses a similar exploit to gain access to systems and plant a back door in systems to propagate itself.

The specter of similar self-propagating attacks coming down the pike is weighing heavily on the minds of top federal security executives.

'We're looking at a new dimension in the past 80 days,' said Ronald Dick, director of the National Infrastructure Protection Center. 'Writers of malicious code are discovering ways to use software to locate thousands of other computers. They're taking advantage of vulnerabilities in operating systems, building massive network attacks and doing it in an automated fashion.'

The Code Red attack 'was a good example of harnessing the enemy to be your agent,' Nelson said.

John Gilligan, Air Force deputy CIO and co-chairman of the CIO Council's security committee, found out how a worm attack can disrupt an agency's ability to do business.

'The impact to the Air Force of Code Red was enormous,' he said. 'We had very few systems that succumbed to the worm, but a policy decision was made to sever our connectivity to the Internet. That had a very large impact on our ability to operate because we are increasingly interdependent with industry and the suppliers who access our systems and provide us with services.'

How great is the threat of malicious code?

'It's a put-me-out-of-business threat,' said Alan Paller, director of the SANS Institute of Bethesda, Md. He estimated the cost of Code Red damages at $2 billion to $3 billion.

In large part, the threat is exacerbated by the open nature of the Internet.

'A lot of the problem is in the infrastructure,' said Tom Haigh, chief technology officer for Secure Computing Corp. of San Jose, Calif., which has Air Force, Marine Corps and Navy users. 'The Internet wasn't built to be used the way we're using it. When it started as Arpanet it was a bunch of researchers in labs and universities who all knew each other. Now we have hundreds of millions of people using the Internet, and they're certainly not one community of interest.'

The Net is intrinsically insecure, Nelson agreed: 'The same Internet that provides us such a marvelous communications vehicle also allows news of vulnerabilities and exploits of them to spread quickly. So we see a discovered vulnerability quickly turn into an exploit.'

The situation is made even worse by electronic commerce and electronic government, which are expanding access to systems via the Internet.

'The big problem now is that we have more and more outsiders becoming virtual insiders,' Haigh said. 'That requires new security technologies that we haven't used in the past. Simply putting firewalls on the perimeters is woefully inadequate at this point. There's a big payoff to collaborative e-business or e-government, but there's also an awful lot of risk associated with it.'

Security vulnerabilities in shrink-wrapped products, such as the one that Code Red exploited in Microsoft IIS, are also a growing concern among agencies' systems managers.

'The rapid proliferation of malicious code can only be effective when there is a plethora of vulnerabilities to exploit,' said Dave Jarrell, technical director for the General Services Administration's Federal Computer Incident Response Center.

'For years, the public and private sectors demanded ease of use, high-speed processors and large storage capabilities,' he said. 'We really didn't demand in the past that security be built into these systems. We're now seeing a change in this attitude.'

The lack of security standards for commercial products is especially vexing to Linda Burek, deputy CIO and assistant attorney general for IRM at the Justice Department.

For Burek, there's more to life in IT than endlessly downloading patches to deal with the latest code threat.

'These items are basically sold to us open and not secure,' she said. 'First, we have to have systems administrators lock them down, which is difficult enough, but then there are all these patches coming out, and updates have to be done. Even our very best security people are having great difficulty keeping up with this environment.'

Burek and Kevin Deeley, Justice's assistant director for information security, are leading an effort to get vendors to build security standards into their products.

'In the federal community, we want to buy a closed box,' she said. 'We want it secure the day we purchase it. I think there's a big disconnect between the vendor thinking we want open systems and those of us out here saying we don't.'

Burek and Deeley recently met with a group of vendors, most of which do a large amount of business with Justice, about the lack of security standards in their products.

'We wanted to get the message to them that we needed them to be more proactive in helping us solve the problem,' she said.

The vendors are beginning to listen but 'it's a big job,' Deeley said. 'It's an evolving process.'

Burek also said Justice is looking at putting security requirements into contracts.

'We're going to work on some procurement language that we could include in our contracts to purchase equipment and software so that we're buying more software that's locked down when we purchase it,' she said.

Feds also are looking at more systematic, proactive ways of coping with threats. There is growing interest in the use of metrics, for example.

'I view metrics as an essential element of any effective government or private-industry information security program because, absent metrics, I don't really think you can assess how well you're doing,' Gilligan said.

The CIO Council has drafted a set of metrics that will be released in late fall, Gilligan said.

'We are now fine-tuning the metrics and trying to come up with an implementation strategy,' he said. The draft will reflect the types of weaknesses that commonly contribute to security vulnerabilities and how agencies can use metrics to gauge their systems' weakness.

Although metrics and other strategies, such as more effective IT management, can help agencies manage the security environment, officials lose sleep over potential threats on the horizon as attackers begin to deploy more sophisticated technologies.

'There are the ankle-biters, the hackers who don't necessarily know what they're doing,' Haigh said. 'They're a nuisance. Once in a while one will cause problems, like the ILoveYou virus.'

But it's what Haigh calls the deep threats that worry security officials most.

'Our government customers worry about the people who are trying to turn computers into intelligence assets that can be used for espionage,' Haigh said. 'There is the concern foreign agents or terrorists may even now be installing Trojan horses in our critical infrastructure that will be triggered to go off at some time in the future.'

Gilligan agreed: 'The threat that concerns me the most is the one we don't see. It's a threat from a true economic or military adversary who is doing reconnaissance at such a level of sophistication that we're just not seeing it. ' That keeps me up at times.'